Identification of interested parties gives crucial input for developing your information security management system (ISMS) or business continuity management system (BCMS).
Who are interested parties?
Stakeholders: people or organizations that can influence your information security or business continuity, or that can be affected by your information security or business continuity activities.
Interested parties and their typical requirements could include:
- employees – understand their security obligations
- shareholders/owners of the business – security of investment and a good return
- government agencies/regulators – comply with information security/business continuity laws and regulations
- emergency services (e.g. firefighters, police, ambulance, etc.) – access and information requirements
- clients – comply with security clauses or requirements in contracts
- media – quick and accurate information about your incidents
- suppliers and partners – understand any security requirements in contracts
- … anyone else that you consider important for your business.
Why are interested parties important?
Identifying interested parties and their requirements matters because you need to know what each of them expects from you, and then work out how to satisfy those requirements in your ISMS / BCMS.
The best way to collect this information is to study their written requirements (legislation, contracts, etc.) and/or interview their representatives.
Once you have all this information, you will need to “configure” your information security so that it complies with these stakeholder expectations. This means you have to identify the requirements before you start developing the details of your ISMS or BCMS, not after; requirements discovered late (a contractual clause, a regulation) tend to force rework of controls that are already in place.
How is this done?
We document a procedure that defines who is in charge of identifying all the interested parties and their legal, regulatory, contractual and other requirements and interests. The same procedure also needs to define who is in charge of keeping this information up to date and how often it is reviewed; in practice the review is both periodic and triggered by events such as new legislation, a new client contract or a new supplier.
Once we have the procedure documented we typically carry out a workshop to gather the requirements in an interactive whiteboard session. This is also a great way to involve the various stakeholders in the project at an early stage.
Once the requirements are clearly identified, we need to define who is in charge of complying with each of them, so that every requirement has a named owner rather than being left to the ISMS / BCMS as a whole.